First American Financial Corp. Data Records Leak

Krebs on Security is reporting a massive data leak by the real estate title insurance company First American Financial Corp.

"The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you're a small business. You give them all kinds of private information and you expect that to stay private."

Shoval shared a document link he'd been given by First American from a recent transaction, which referenced a record number that was nine digits long and dated April 2019. Modifying the document number in his link by numbers in either direction yielded other people's records before or after the same date and time, indicating the document numbers may have been issued sequentially.

The earliest document number available on the site -- 000000075 -- referenced a real estate transaction from 2003. From there, the dates on the documents get closer to real time with each forward increment in the record number.

This is not an uncommon vulnerability: documents without security, just "protected" by a unique serial number that ends up being easily guessable.
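To make the failure concrete, here is an added illustration (not code from First American, Krebs, or the researcher): a lookup keyed only on a sequential record number, beside a hardened version that requires an unguessable per-document token and still checks that the requester is a party to the transaction. The document store, account names and server key are all constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample data: a tiny in-memory document store, not any real system.
@dataclass
class Document:
    doc_id: int          # sequential record number, like the nine-digit ones in the article
    parties: frozenset   # account names of the buyer/seller entitled to read it
    body: str

STORE = {
    100000001: Document(100000001, frozenset({"buyer-a", "seller-a"}), "closing statement A"),
    100000002: Document(100000002, frozenset({"buyer-b", "seller-b"}), "closing statement B"),
}

def fetch_vulnerable(doc_id: int):
    """Weak pattern: the record number in the link is the only 'protection'.
    No authentication, no authorization, and the number is sequential."""
    return STORE.get(doc_id)

# Hardened pattern: the link carries a token derived from a server-side secret
# (assumed key; a random token stored beside the record works just as well),
# and the server still checks the caller's entitlement before returning anything.
SERVER_KEY = secrets.token_bytes(32)

def link_token(doc_id: int) -> str:
    """128-bit per-document token; unguessable without SERVER_KEY, so knowing one
    valid link gives no way to construct the link for the neighbouring record."""
    mac = hmac.new(SERVER_KEY, str(doc_id).encode(), hashlib.sha256).hexdigest()
    return mac[:32]

def fetch_hardened(doc_id: int, token: str, requester: str):
    doc = STORE.get(doc_id)
    if doc is None:
        return None
    # Constant-time comparison so response timing does not leak token bytes.
    if not hmac.compare_digest(token.encode(), link_token(doc_id).encode()):
        return None
    # Authorization check: a valid link alone is not enough; the requester
    # must be one of the parties on this particular transaction.
    if requester not in doc.parties:
        return None
    return doc
```

The token stops passive enumeration of neighbouring record numbers; the party check is what stops a leaked or shared link from exposing someone else's file.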

Krebs has no evidence that anyone harvested all this data, but that's not the point. The company said this in a statement: "At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information." That's obviously not true; security and privacy are probably pretty low priorities for the company. This is basic stuff, and companies like First American Financial Corp. should be held liable for their poor security practices.

Posted on May 28, 2019 at 9:59 AM • 18 Comments

Comments

Patriot • May 28, 2019 11:15 AM

Reminds me of the Office of Personnel Management breach in 2015: in scale, in importance, in sheer ineptitude.

The default reaction is: it did not happen. And then: well, it is not so bad. And then: your security matters to us. And then: here is some free credit reporting. Good luck.

Spellucci • May 28, 2019 11:55 AM

What do we do to protect ourselves from this nonsense? Bring a document to the closing for the title insurance company, bank, and real estate company to each sign, saying, "If you leak my information, you owe me $1,000,000?"

James • May 28, 2019 12:50 PM

As I said before, those are far worse than any breach at some social media crap.
"At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information." - That's what they all say, and it's obviously bullshit.

@Spellucci: Yeah, I think that might be a perfectly good idea. $1M * "hundreds of millions customers" = get out of business and straight to prison. That's what should happen if you work with sensitive personal information and you "lose" it. Unfortunately I don't see that happening any time soon.

T • May 28, 2019 12:51 PM

If security is indeed their highest priority, and they were this bad at it, think about how bad they are at the rest of what they do.

Rj • May 28, 2019 2:35 PM

Unfortunately, you cannot sue them unless you can show that you have been "damaged" by the occurrence. You must have suffered a monetary loss, or a loss, such as "pain and suffering," that can be compensated by a monetary payment. Without this, you are without recourse, so far as suing them goes.

Security is economic at most companies. They don't pay much attention to it until something bad happens to them, then they realize that it was more important than they thought. That's why their first response is to deflect the accusations. Until somebody can show real monetary loss because of such an occurrence, the civil law does not help very much.

You can, however, seek revenge, if that is compensation enough for you, by giving them bad reviews, bad press, or whatever other bad publicity you can afford to pay for. Just make sure your activities do not subject you to a libel suit. Make sure everything you say is the truth!

James • May 28, 2019 2:38 PM

@Rj: That's the problem. Those f*ckups should become criminal offences and punishable as such.

Weather • May 28, 2019 3:29 PM

They hire a local technology firm to make the website; is it just seeking new customers, by lack in the field? After ten years I have no fathom of what the (new phone out is).
It's sales: you can be brought up with technology and spend 7 months selling phones, tablets and computers; do you really think they will need to hire someone that has studied the technology?
Regulations will create a new market, but that's twenty years down the track, but I think that's what it takes (time).

Security Sam • May 28, 2019 7:04 PM

This will look like child's play
Compared to what Real ID will do
When all the states plug and play
The privacy will be in plain view.

Esteban • May 28, 2019 7:59 PM

I'll post Bruce's line from a recent article: "The companies you do business with have no real incentive to secure your data."

That is true. There is little recourse if someone uses my personal information gleaned from FirstAm. Despite the fact I had to bring documents to prove my identity, sign multiple documents to secure the builder and mortgage company during the title transfer, FirstAm just leaves it all out there. And there is nothing I can do about it.

Nope, unless there are hard penalties for this stuff with regs and case law to back it up, they have no incentive whatsoever.

But lucky me I might get a year of free credit monitoring - the barn is on fire, the horse is gone, and they offer to close the barn door for me.

Ismar • May 28, 2019 8:30 PM

There is also another side to this: as our personal data becomes readily available to almost anyone, we can then be excused in arguing we have not done certain things as we see fit and opt for plausible deniability instead. In other words, the whole system becomes broken, so let's see how we all fare then; maybe some other model emerges out of sheer necessity.

Patriot • May 29, 2019 2:38 AM

"The companies you do business with have no real incentive to secure your data."

Right, and neither does the U.S. Government.

When James Clapper said something along the lines of, "you gotta hand it to the Chinese", after the OPM breach, I had an epiphany about where America is headed. In short, no one is being held accountable up the food chain, either in government or in industry.

Jeremy • May 29, 2019 6:36 AM

> That's what should happen if you work with sensitive personal information and you "lose" it.

But they didn't even "lose" it.

They published it.

James • May 29, 2019 6:47 AM

@Jeremy: "lose" it, publish it, sell/share it without express consent, there's no difference. The effect is the same, and so should be the punishment. Until the laws are changed to make the management of those companies criminally responsible and also hit their pockets hard, nothing will change, they still won't give a crap about their customers.

kronos • May 29, 2019 8:03 AM

@Esteban: "But lucky me I might get a year of free credit monitoring - the barn is on fire, the horse is gone, and they offer to close the barn door for me."

Good analogy, but I'd say they offer you a cheap padlock for the barn door ... that was lost in the fire.

Alejandro • May 29, 2019 9:31 AM

Any company that posts a statement anything similar to "security, privacy and confidentiality are of the highest priority and we are committed to protecting our customer's information" and then is found to intentionally or negligently leak personal data, or allow an easily preventable hack, ought to be subject to MASSIVE criminal and/or civil penalties.

But, of course, the corporations run the government now or have it bought off.

It makes me sick to read those boilerplate disclaimers over and over that have no real meaning or accountability.

Matt from CT • May 29, 2019 1:43 PM

>What do we do to protect ourselves from this nonsense? Bring a document to the closing for the title insurance company, bank, and real estate company to each sign, saying, "If you leak my information, you owe me $1,000,000?"

I sweet naivete...

Smaller title insurance companies are owned by the lawyers doing your closing.

Larger title insurance companies give your lawyers commissions.

https://www.catic.com/

https://madisonrecord.com/stories/511118921-illinois-supreme-court-deadlocks-on-whether-title-companies-attorney-payments-are-kickbacks

Good luck getting your lawyer, who is also making money off the title insurance, to agree to insert that rider.

TruePath • May 30, 2019 8:29 PM

How could one usefully hold companies liable for this kind of thing? If you require individuals to show actual damages as a result of some breach, it becomes too difficult to connect any breach to the damage. One can statutorily presume damages, but when does that apply? In a case like this, if the damages were for any actual breach by hackers then you couldn't hold them liable yet, and such a rule would actually encourage companies to keep exceedingly poor logs so no hack could be proven after the fact.

If you want to just apply damages any time the info is somehow 'hackable', even if no one has actually hacked it, you have the big problem of how to distinguish cases like this from a lawsuit simply alleging that the financial company used X operating system, Y network equipment 5 years ago and we now know that combo could have been breached using the following exploits. I mean, any system will eventually be shown to have some flaw.

Is it about an external security researcher finding it before the internal guys do? Do we really want security researchers trying to find 0-days so that they can be used in liability suits against big businesses? That doesn't seem fair or appropriate but it's pretty hard to reliably differentiate degree of risk or similarity of flaws in a law that will be applied and interpreted by technically unsophisticated judges and juries.

Also, if you presume damages you've either got to somehow distinguish what kinds of records in what contexts are protected. I mean, you don't want to hold your local dog boarding company liable for the same kinds of damages as a financial records company if they leak your dog's name, weight, breed and dietary restrictions. Similarly, even though Facebook should be liable if they leak your CCN from their payment system records, the same shouldn't apply if you put it in a post with privacy level set to 'Only Me' and their privacy settings are messed up.

The best of some bad options seems like an industry-specific approach like HIPAA, in which certain types of service providers are covered for certain types of info because of the kinds of services they offer. But I still worry this is a bad idea. If I want to put up a half-assed PHP script that helps people create some kind of form (say some kind of financial disclosure form) and have a few ads on the site, it seems both inappropriate and deeply innovation-stifling if I have to meet the same kind of security level that a bank or credit agency does just to offer a helpful online script, even if it's one dealing with financial info.

IMO the best option is to instead create specific regs only for the credit agencies, banks and a few other highly regulated industries, and then do everything else by letting companies (voluntarily) put up a bond guaranteeing the security of your info with them which pays out if some panel of experts judges it wasn't securely held. Circumvents court difficulties, and if you want to upload your info to Bob's insecure PHP script that's up to you, but cautious people will only trust providers who have put up the most stringent and expensive kind of bond.
